11-22-2004 10:44 AM - edited 03-02-2019 08:08 PM
Well, I'm trying to set up an access list on our 6509 that will allow UDP IP directed broadcasts to any IP from any IP on port 42508. The broadcasts must go from one VLAN to the next. The server (broadcast generator) is on Vlan 110. The clients are on Vlan 120. The purpose is to allow a virus management server to broadcast to a subnet (VLAN) and elect a host to manage updates through.
this is the access-list:
access-list 150 permit udp any eq 42508 any
then I applied the ACL to Vlan 120 and 110 with:
ip directed-broadcast 150
This doesn't seem to be working. If I put just "ip directed-broadcast" on the VLAN interface and leave out the access-list, the broadcasts go through fine. Of course I don't want all that extra traffic going across my router.
Any ideas?
thanks!
Charles
11-22-2004 11:38 AM
Are these broadcasts supposed to be from port 42508 or to port 42508? The way you have the access list, it will pass UDP broadcasts from port 42508 to any port. I am guessing that it is more likely the destination port you want to specify. If the destination port is to be 42508, then you need access-list 150 permit udp any any eq 42508.
If you want the broadcasts to propagate from VLAN 110 to VLAN 120, you need the ip helper-address on VLAN 110, and the ip directed-broadcast on VLAN 120. You will also need an ip forward-protocol udp on VLAN 110. Unfortunately, all UDP broadcasts will go through the router, and they will be filtered at the egress VLAN. The ip directed-broadcast 150 will not make any difference at the ingress VLAN.
Of course, if the destination port is 42508, then you can be selective about what goes through the router. You can do ip forward-protocol udp 42508 on VLAN 110. You could also switch off the other protocols such as NetBIOS and DHCP. Then you wouldn't need the access-list at the outgoing VLAN.
I think there must be an error in the 12.2 documentation about ip directed-broadcast, because it talks about standard access-lists from 1 to 199, and extended from 1300 to 2699. I shall investigate further, and if I find anything odd I shall post again.
Kevin Dorrell
Luxembourg
P.S. The 12.0, 12.1, and 12.3 documentation all say the same thing! I thought standard was 1 to 99 and 1300 to 1999, and extended was 100 to 199 and 2000 to 2699. What is going on?
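The setup described in the answer above, written out as an added example; this is not configuration from the thread. The interface names, addresses and the DHCP server 10.141.1.50 are taken from the later post in this thread, the interface descriptions are assumed, and the port list under ip forward-protocol is the IOS default forwarding set. Two facts worth keeping in mind that the posts do not spell out: ip forward-protocol is a global configuration command, not an interface command, and ip directed-broadcast is the setting that made routers usable as Smurf amplifiers, so it should only ever be enabled with an access-list that permits exactly the one port you need.

```cisco
! Global: control which UDP broadcasts ip helper-address is allowed to relay.
! IOS relays a default set unless each entry is switched off. Only the
! update-election port (42508) and DHCP (bootps, 67) are left enabled here.
ip forward-protocol udp 42508
no ip forward-protocol udp 37     ! time
no ip forward-protocol udp 49     ! tacacs
no ip forward-protocol udp 53     ! domain (DNS)
no ip forward-protocol udp 69     ! tftp
no ip forward-protocol udp 137    ! netbios-ns
no ip forward-protocol udp 138    ! netbios-dgm
!
! Egress filter for directed broadcasts: match the DESTINATION port, which is
! the third field ("any eq 42508"), not the source port ("any eq 42508 any").
access-list 150 permit udp any any eq 42508
!
interface Vlan110
 description Server VLAN (assumed) - virus management server sends its broadcasts here
 ip address 10.141.1.5 255.255.255.0
 ! Ingress side: turn 255.255.255.255 broadcasts arriving here into unicasts
 ! addressed to the directed-broadcast address of the client subnet.
 ! 10.141.2.0/25 has 10.141.2.127 as its last (broadcast) address.
 ip helper-address 10.141.2.127
 ! Nothing needs to be exploded into a L2 broadcast on this side.
 no ip directed-broadcast
!
interface Vlan120
 description Client VLAN (assumed)
 ip address 10.141.2.5 255.255.255.128
 ! DHCP relay for the clients. This is a unicast helper, so it does not
 ! need ip directed-broadcast anywhere.
 ip helper-address 10.141.1.50
 ! Egress side: packets to 10.141.2.127 are only converted into a
 ! link-layer broadcast if they match access-list 150, i.e. UDP/42508.
 ! Anything else relayed to this address (a stray bootps broadcast from
 ! Vlan110, for example) is dropped here instead of flooding the clients.
 ip directed-broadcast 150
```

To confirm the filter is doing something, check that show ip interface Vlan120 reports "Directed broadcast forwarding is enabled" together with the outgoing access list, and watch the clients with a packet capture: you should see UDP/42508 broadcasts from the server's address and nothing else relayed from 10.141.1.0/24. Removing the 150 from ip directed-broadcast is the quickest way to verify that the ACL, rather than the helper, is what stops the extra traffic.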
11-23-2004 06:17 AM
IT WORKS! Thanks! I did indeed have my access-list wrong.
This is the config I'm running right now on those 2 VLANs, for reference:
interface Vlan110
 ip address 10.141.1.5 255.255.255.0
 ip helper-address 10.141.1.50
 no ip redirects
 ip directed-broadcast 150
 standby ip 10.141.1.1
 standby timers 2 6
 standby priority 110
 standby preempt
!
interface Vlan120
 ip address 10.141.2.5 255.255.255.128
 ip helper-address 10.141.1.50
 no ip redirects
 ip directed-broadcast 150
 ip policy route-map client
 standby ip 10.141.2.1
 standby timers 2 6
 standby priority 110
 standby preempt
We already had IP helper because of DHCP. I didn't think it passed anything but those types of requests.
again, Thank you!
Charles
11-23-2004 06:33 AM
Glad it's working now. Just one small thing, I guess that in the VLAN 110 config, you don't mean ip helper-address 10.141.1.50. If anything, I guess it should more likely be ip helper-address 10.141.2.127.
But if it does actually say 10.141.1.50, then it probably isn't actually doing anything, and you can get away without it. And in that case, you probably don't need the ip directed-broadcast 150 on VLAN 120 either. Which means you only need the broadcasts from the PC network to the server, and not the other way.
Kevin Dorrell
Luxembourg